Hi Niko,

On Thursday 4 September 2008 07:15, Niko Tyni wrote:

> I just noticed the CGIWrap upstream homepage at
> http://cgiwrap.sourceforge.net/ has this security notice:
>
>  CGIWrap 4.1 update protects against a cross-site scripting vulnerability
>  in the error page handling due to how some browsers behave when a
>  charset is not specified. CGIWrap now sets a default charset and allows
>  overriding it during the configure process.
>
>  Advisories:
>
>     * http://jvn.jp/en/jp/JVN45389864/index.html (English)
>     * http://jvn.jp/jp/JVN45389864/index.html (Japanese)
>
> This is CVE-2008-2852. I haven't actually verified it in the Debian
> version, but pre-4.1 versions are listed as vulnerable. This includes
> the version in Etch.

Indeed. Unfortunately I couldn't find specifics on how this is exploited.

Still, judging from the description the impact seems to be limited: only some 
charsets and a specific browser are affected. Plus, the patch is not really 
adequate since it compiles in the charset.

I don't think we should be issuing a DSA for this issue.

> I'm not sure about the severity, CC'ing the security team.  Note that
> this package is orphaned and the last maintainer upload was in 2005.
> It might make sense to remove the package from lenny.

Yes, I think so. Can you take care of that?


Thijs

Attachment: pgpasDoYpvUsf.pgp
Description: PGP signature

Reply via email to